Covert VPN

Cobalt Strike offers VPN pivoting through its Covert VPN feature.
Covert VPN creates a network interface on the Cobalt Strike system and
bridges this interface into the target's network.

How to Deploy

To activate Covert VPN, right-click a compromised host, go to
[beacon] -> Pivoting -> Deploy VPN. Select the remote
interface you would like Covert VPN to bind to. If no local interface is
present, press Add to create one.

Deploy Covert VPN

Check Clone host MAC address to make your local interface
have the same MAC address as the remote interface.

Once a Covert VPN interface is active, you may use it like any
physical interface on your system. Use ifconfig to configure its IP address. If
your target network has a DHCP server, you may request an IP address
from it using your operating system's built-in tools.

Manage Interfaces

To manage your Covert VPN interfaces, go to Cobalt Strike
-> Interfaces. Here, Cobalt Strike will show the Covert VPN
interfaces, how they're configured, and how many bytes were transmitted
and received through each interface.

Highlight an interface and press Remove to destroy the
interface and close the remote Covert VPN client. Covert VPN will remove
its temporary files on reboot and it automatically undoes any system
changes right away.

Press Add to configure a new Covert VPN interface.

Configure an Interface

Covert VPN interfaces consist of a network tap and a channel to
communicate ethernet frames through. To configure the interface, choose
an Interface name (this is what you will manipulate through ifconfig
later) and a MAC address.

VPN Interface Setup

You must also configure the Covert VPN communication channel for your
interface. Covert VPN may communicate ethernet frames over a UDP
connection, TCP connection, ICMP, or using the HTTP protocol. The TCP (Reverse) channel has the target connect to your
Cobalt Strike instance. The TCP (Bind) channel has Cobalt Strike tunnel the VPN through Beacon.

Cobalt Strike will setup and manage communication with the Covert VPN client based on the Local Port and
Channel you select.

The Covert VPN HTTP channel makes use of the Cobalt Strike web
server. You may host other Cobalt Strike web applications and multiple Covert
VPN HTTP channels on the same port.

For best performance, use the UDP channel. The UDP channel has the least amount of overhead compared to the TCP
and HTTP channels. Use the ICMP, HTTP, or TCP (Bind) channels if you need to get past a restrictive firewall.